Posted to apache-bugdb@apache.org by Dale Bewley <da...@bewley.net> on 1997/04/09 17:30:02 UTC

suexec/339: suexec will not allow QUERY_STRINGS

	The contract type is `' with a response time of 3 business hours.
	A first analysis should be sent before: Wed Apr 09 12:00:02 PDT 1997


>Number:         339
>Category:       suexec
>Synopsis:       suexec will not allow QUERY_STRINGS
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Apr  9 08:30:02 1997
>Originator:     dale@bewley.net
>Organization:
apache
>Release:        1.2b8
>Environment:
RedHat 4.1
>Description:
CGIs seem to work fine until you add a ?query_string to them.
Below are relevant entries from the SuExec cgi.log:

WithOUT a query string
[10:25:08 09-04-97]: uid: (dale/dale) gid: (dale/dale) suexec-bug.cgi

WITH a query string
[10:25:13 09-04-97]: invalid target user name: (\~dale)

Relevant entry from the ScriptLog
%% [Wed Apr  9 10:25:13 1997] GET /~dale/suexec-bug.cgi?blah HTTP/1.0
%% 500 /home/dale/www/suexec-bug.cgi
%request
Connection: Keep-Alive
User-Agent: Mozilla/4.0b2 (X11; I; SunOS 5.4 sun4m)
Pragma: no-cache
Host: www.bewley.net
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
%response
>How-To-Repeat:
http://www.bewley.net/~dale/suexec-bug.cgi
http://www.bewley.net/~dale/suexec-bug.cgi?foo
>Fix:

>Audit-Trail:
>Unformatted: